Re: [qubes-users] What hardware to buy for security?Best way to go about FDE? & 3-way authentication? discussion!

2016-12-28 Thread Alex
On 12/29/2016 08:22 AM, HiringQubesExperts wrote:
> Hi all,
> 
> I am planning on buying a 13.3 - 15.6 laptop that I will specifically
> use for running qubes, and containing lots and lots of highly
> sensitive files.
> [...]
>
> I really hope we can start a discussion on these topics that will
> lead to a general what-should-I-buy advice when one wants maximum
> security from COTS hardware, and open software.
> 
The whole topic is not as simple as you put it: "security" is not a
linear measure, hardly even measurable. Hence you cannot ask for
"security" as a whole, and it does not come in handy packages on a
Walmart shelf.

What I generally recommend is to first model the threats, and then build
security accordingly. In your message you only mention "highly sensitive
files", but not your threats.

If you are afraid of software intrusions, you will want to isolate your
data from the internet, and then Qubes is a nice place to start. But
then you may probably have to make sure your usage habits are sound for
this goal (the switch can take some time to get accustomed to).

If you are afraid of casual physical thieves, a simple FDE (LUKS) is way
more than enough, but if you are dealing with people intentionally
pursuing your files then everything you mentioned in your e-mail is not
enough, just added complexity: you will need to think of fake volumes
and password for under-coercion data switch, bordering on plausible
deniability.

If the people pursuing your files have very strong motivations or a big
organization (say, a government), you may want to think out of the box
(i.e. thermorectal cryptanalysis, or the old but good
https://xkcd.com/538/ ): when the owner cooperates any lock opens, be it
a 3$ padlock or a multi-million-dollar fort.

Likewise, if you travel with that laptop, you may want to research
plausible deniability for sensitive data (make it look like the most
dumb Windows laptop you can buy), and having a biometric sensor /
unheard-of brands / custom BIOSes would only raise suspicion.

In any case you are likely to have to change some habits, to follow the
security guidelines you decide/plan.

Qubes by itself is a very nice foundation for both solutions for
physical security and software security, and you can add any other
feature you want to pick from your list, but just "adding them all" will
probably make your computer less secure overall (more software attack
surface) and will tire you with the security procedures, prompting you
to find shortcuts in the long run or abandon the whole "fort" altogether.

-- 
Alex

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/900deb4f-7114-c1cb-c7ce-5e50095228c2%40gmx.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] What hardware to buy for security?Best way to go about FDE? & 3-way authentication? discussion!

2016-12-28 Thread HiringQubesExperts
Hi all,

I am planning on buying a 13.3 - 15.6 laptop that I will specifically use for
running Qubes, and containing lots and lots of highly sensitive files.

I will also be using Tor a lot, and for me the main thing I care about is
being able to get my setup as secure as possible.

Things I've thought about so far:

OPAL SED SSD for HW based drive encryption. (Second FDE of course)
USB PGP-Key for authentication and stuff, also contains (hidden) storage.
Keypad encrypted USB for hardware encrypted USB with bootfiles/keyfiles etc. 

Now for the laptop itself; 

Is TPM worth it? I'm hearing mixed opinions... Also, I definitely do not want to
put all my eggs in one basket, so would using TPM be possible in a way that it
is just one of several parts of the whole security-chain? I would hate it if
someone has a TPM backdoor and compromises my whole system that way, any way to
design something with 2 or better yet; 3 way authentication?

What about the processor and BIOS? Are there any secure/open BIOSes that work
with recent Intel processors?

As for the processor; are the SGX and other new features that Skylake CPUs
offer any good? Would it be possible to make use of these features in Qubes?

If not, what processor would you guys recommend? I guess Intel right? Are there
any laptops out there that have onboard security-hardware that offers any real
solid security benefits? I've read a lot of posts from Joanna where she kind
of debunks the Cortex M-3 security chip, so I am wondering; are there any other
chips like these that are truly open source, and really add some security?

What kind of laptop comes to mind when I'm asking for this kind of features? 
I'm having a very very hard time finding a laptop that I can setup in a way 
that would make me feel truly secure. I hope you guys can share some advice on 
these matters. 

P.S.
I'm using the PGP-key stick, and USB-keypad-usb as my "extra security-weapons" 
are there any other reliable open source hw-security devices out there that you 
guys would recommend? 

Would it be possible to add say some biometric security hardware and then have 
the full disk encryption work in such a way that 3 way authentication would be 
needed ? 

Also, we have the software based full disk encryption, and also the HW based
OPAL full disk encryption, even though I trust the software based one the most,
I would still like to also maximize the security of the Samsung SED based one.
Would it be possible to have 3-way authentication for both, while having unique
keys each?

What would be the best way to implement 3-way authentication? Most people
advise me on using the combined output of all 3 hw keys, maybe even with some
mechanism which unlocks a keyfile or something like that. But to me these
things sound like they are not really thought through; there has to be a better
way to implement 3-way (or even 2 way) authentication, at least for the
software based FDE, and maybe even for the Samsung OPAL one, right?

Also, what would you guys recommend me to use as encryption method? LVM-LUKS
won't let me encrypt the boot partition, and it won't really allow me to use
2-way authentication as well.

What would be the best way to go about encrypting my drive using the hardware
available? (PGP-key, USB-keypad, "addyourown")

I really hope we can start a discussion on these topics that will lead to a 
general what-should-I-buy advice when one wants maximum security from COTS 
hardware, and open software. 

- HQE



Re: [qubes-users] Archlinux Community Template Qubes OS 3.2

2016-12-28 Thread Franz
On Mon, Dec 19, 2016 at 3:06 PM, J. Eppler  wrote:

> Hello,
>
> I just wanted to thank the person who created and uploaded the
> qubes-template-archlinux 3.0.6 to the Qubes OS 3.2 rpm repo.
>
> Saved a lot of work.
>
> You can install it with:
> sudo qubes-dom0-update --enablerepo=qubes-templates-community
> qubes-template-archlinux
>
>
>
A really nice Christmas present! Thanks

When I type
 sudo pacman-key -populate archlinux
I get
pacman-key: invalid option -- 'p'

Best
Fran


>
> regards
>   J. Eppler
>



Re: [qubes-users] Fedora-23 Software only shows already installed apps

2016-12-28 Thread superlative
On Wednesday, December 28, 2016 at 8:02:14 PM UTC-8, Andrew David Wong wrote:
> I've never tried the GUI package manager interface. Can you try just
> using dnf from the command-line? For example:
> 
> $ sudo dnf install 
> 
> -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org

That worked thanks!



[qubes-users] Re: How to Backup Qubes Using New USB Hard Drive

2016-12-28 Thread mojosam
Andrew:

Success!  Everything works now.

When I sat down to do this, I realized that I actually only needed one USB 
qube, and that's the one that I do not want talking to dom0.  The keyboard and 
mouse are already talking to dom0, which I don't want to change.  It's all of 
the other USB devices that I want to send elsewhere.

So I set it all up as described above and in the documentation, and it's all 
working now.  I did the backup and tested the restore from backup.  Everything 
appears to be OK.

Thank you for your help.



Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?

2016-12-28 Thread HiringQubesExperts
On Thursday, 8 December 2016 21:48:05 UTC+1, Marek Marczykowski-Górecki  wrote:
> On Thu, Dec 08, 2016 at 08:56:25AM -0800,  wrote:
> > Could someone maybe give some help with the error message?
> 
> The one about missing signed tags? They are in place already - simply
> retry. Take a look at "Qubes 4.0 development status update" message on
> qubes-devel.
> 
> -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

I'm really sorry for the trouble, but I am still getting loads of errors all the
way, even when modifying some things by hand to make it work, errors errors
errors.

Could you maybe make me a new config file, and make sure that it works before
posting it? Maybe also post the exact steps you use to make the whole thing
work? Are you doing anything special? Ignoring any stuff using -i while
running the make command?



Re: [qubes-users] notify about updates of cloned template

2016-12-28 Thread Andrew David Wong
On 2016-12-28 16:03, Eva Star wrote:
> How to enable auto checking for updates and notify me if they
> exist on the cloned template?
> 
>> qubes-set-updates status
> vms: enable
> 
>> qvm-prefs -l fedora-24-clone
> updatable: True
> 
> But it does not check for updates!
> 

Update checks are typically run in VMs based on the template, so if
you haven't had any VMs running based on that template that can reach
update repos, that's probably why.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Re: 3.2 Install: Error unpacking qubes-template-fedora-23

2016-12-28 Thread mark
My freezes for me are pretty random on dozens of different places during the 
Legacy and UEFI installs, something more than one RPM is broken. I'm blaming my 
Gigabyte Z97X Gaming mobo, F7 BIOS. I've ordered an ASRock Z97 Extreme6 mobo as 
that is known to work. I think it's the Gigabyte BIOS that isn't so hot.



Re: [qubes-users] Fedora-23 Software only shows already installed apps

2016-12-28 Thread Andrew David Wong
On 2016-12-28 13:22, superlative wrote:
> Hi, I can install packages from Debian-8 template VM Packages app 
> just fine. But Fedora-23 template VM doesn't have any packages 
> available in the Software app that I don't already have installed. 
> The only Software Sources that show up in Fedora-23 template VM 
> Software app is "Qubes OS Repository for VM (updates)". But in 
> Debian-8 template VM Packages app Package Sources are "Jessie 
> (main)", "Jessie (main contrib non-free)", and "Jessie updates
> (main contrib non-free)". Is it supposed to be like that?
> 
> Thanks
> 

I've never tried the GUI package manager interface. Can you try just
using dnf from the command-line? For example:

$ sudo dnf install 

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



[qubes-users] Re: 3.2 Install: Error unpacking qubes-template-fedora-23

2016-12-28 Thread plobbes
I found the same problem on a fresh 3.2 install.  One data point of something 
that looked odd to me is that the sha1/sha256 sums are different between the 
RPM that's distributed as part of the installer and the supposedly same RPM 
available via the repo online...

The Qubes 3.2 installer iso has:

 .../Qubes-R3.2-x86_64/Packages/q
$ sha256sum qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm
c070ecb75b2580aec594d67afc833579c52ccb20e4acf5bc1797bbc93cefde26  qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm
$ sha1sum qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm
cef6ddb660d0c9cb3fbee54230899ddeb2df64a6  qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm

Trying to install this fails.

But the package I downloaded (from 
https://yum.qubes-os.org/r3.2/templates-itl/rpm/) has:

$ sha256sum qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm
0b751ae1c94747f026b33767437b25f5bf0d09857430bd7c080992b61a9ca244  qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm
$ sha1sum qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm
5e1186e6fcd08e5b99432418655d49fa7fadf796  qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm

I haven't yet tried to install this one so I'm not sure that explains anything 
yet, but it may be indicative of some problem.



[qubes-users] Re: trying to pass usb-headset to arch based standalone vm

2016-12-28 Thread 'digitaldijjn' via qubes-users
On Wednesday, December 28, 2016 at 10:39:56 PM UTC, digitaldijjn wrote:
> I'm trying to get a usb headset passed to my standalone vm so that I can get 
> the mic working for rosetta stone. I have wine configured and the program 
> installed, though when I pass the mic to the vm I can't detect from within 
> rosetta stone. I've heard that a way to work around this is to use a usb 
> headset. so right now I'm trying to pass that from sys-usb to arch using 
> qubes-usb
> 
> I have qubes-usb-proxy-sender installed in sys-usb, I just can't seem to find 
> the qubes-usb-proxy.x86_64 package online... 
> 
> I found the github page for qubes-app-input-proxy which said it needed to be 
> installed in dom0. I tried to and it's already installed. should I just try 
> to install that package in the standalone vm as well?

so I've managed to download the deb package from debian, transfer it to arch, 
and install it with debtap and pacman. when I try to use qvm-usb to transfer 
using the command:

qvm-usb -a  sys-usb:4-2

it tells me that qubes-usb-proxy is not installed in the VM.



[qubes-users] Re: HCL - Lenovo X1 Carbon 4th Gen

2016-12-28 Thread h221baker
I was able to fix the suspend issue not working by updating my kernel to
4.8.12 using:
sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel

But then WIFI driver failed to reload after exiting suspend, which got fixed
following the steps here: https://www.qubes-os.org/doc/wireless-troubleshooting/



[qubes-users] notify about updates of cloned template

2016-12-28 Thread Eva Star
How to enable auto checking for updates and notify me if they exist on
the cloned template?


> qubes-set-updates status
vms: enable

> qvm-prefs -l fedora-24-clone
updatable: True

But it does not check for updates!


--
Regards



[qubes-users] Heads Bootloader

2016-12-28 Thread Nicklaus McClendon
Trammell Hudson spoke a couple of days ago about a custom bootloader
designed to minimally load the OS in a secure manner, and mentioned he
got it compatible with Qubes. Does anyone here have any experience
with this?

Talk: https://www.youtube.com/watch?v=UqxRPLfrpfA
Repo: https://github.com/osresearch/heads
-- 
kulinacs 



[qubes-users] HCL - Lenovo X1 Carbon 4th Gen

2016-12-28 Thread hj z
I have tested Qubes 3.2 on my new X1 Carbon laptop, and things mostly
worked out of the box.

I was able to boot and install Qubes OS from USB via legacy boot mode.

I have 128G NVMe drive that came with the machine. It seems to work fine as
far as I can tell.

Sound/WIFI/SD Card/USB works out of the box.

The only issue I noticed is *suspend* mode seems to NOT work with VT-D
enabled.

-- 
h221baker



Qubes-HCL-LENOVO-20FBCTO1WW-20161228-173545.yml
Description: application/yaml


[qubes-users] trying to pass usb-headset to arch based standalone vm

2016-12-28 Thread 'digitaldijjn' via qubes-users
I'm trying to get a usb headset passed to my standalone vm so that I can get 
the mic working for rosetta stone. I have wine configured and the program 
installed, though when I pass the mic to the vm I can't detect from within 
rosetta stone. I've heard that a way to work around this is to use a usb 
headset. so right now I'm trying to pass that from sys-usb to arch using 
qubes-usb

I have qubes-usb-proxy-sender installed in sys-usb, I just can't seem to find 
the qubes-usb-proxy.x86_64 package online... 

I found the github page for qubes-app-input-proxy which said it needed to be 
installed in dom0. I tried to and it's already installed. should I just try to 
install that package in the standalone vm as well?



Re: [qubes-users] RFC: adding qubes images to the (qubes) repo

2016-12-28 Thread john.david.r.smith

if offloading is done for isos: ship the master key with qubes and
 provide a convenience command to the user. this command should
download (e.g. via torrent) and verify the image (a step the user
can't do wrong anymore). this command could spawn a dispvm,
install torrent software, load the torrent and copy it to dom0.
from there the user could qvm-copy it to the vm with the install
medium.



This is a different proposal, and it would be a much larger
undertaking. It's certainly not something that the core Qubes devs
have time to do, so it would have to be a community-developed feature.
Would you like to take this project on?


my current idea:
 1) create a temporary download vm A
 2) use wget to get the signature + iso + release signing key

 4) create a temporary verify vm B
 5) copy the data from A to B
 6) destroy A

 7) copy the qubes-master key from dom0 to B
 4) set the master key to ultimate trust
 5) verify the release signing key
 6) check the signature
 7) copy the image to dom0
 8) destroy B

you also could do all steps in one vm.

i think this should be possible with the current tools. (i would have to
look up how to do all this key management stuff via shell.)


i have not this much time (and am not really skilled), but what i 
thought about would not be that much work.

if this solution is acceptable, i can give it a try.
it would be in form of some bash scripts.


maybe you could get other official repos to add them, too.
(debian (+ubuntu), fedora and arch should reach a significant
portion of the linux users)


Another interesting idea. I've never heard of a distro adding a
different OS's ISO as a package of their own, though.


asking can't hurt.



Well... why don't you ask them, then? :)


some random guy is more likely to be ignored than people officially 
connected to a project (but i could try to ask them and link them to 
this thread.)
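
The verification half of the procedure above (trust only the master key, check that the release signing key is certified by it, then check the image signature), as an added example that is not part of the original message or of Qubes tooling. It assumes GnuPG 2.x; verify_image, its argument order and the file names are hypothetical, and the caller must supply the full master key fingerprint obtained out of band.

```shell
#!/bin/sh
# Added example, not code from the thread. File names and the fingerprint
# argument are supplied by the caller (assumptions, nothing Qubes-specific).

# verify_image MASTER_KEY MASTER_FPR RELEASE_KEY SIGNATURE IMAGE
#   0  signature is good and the signing key is certified by the master key
#   1  bad signature, or signing key not certified by the master key
#   2  setup problem (gpg missing, MASTER_KEY does not contain MASTER_FPR)
# The body is a subshell, so its variables do not leak into the caller.
verify_image() (
    master_key=$1 master_fpr=$2 release_key=$3 sig=$4 image=$5
    command -v gpg >/dev/null 2>&1 || exit 2

    # Throwaway keyring: keys already in ~/.gnupg must not influence the result.
    home=$(mktemp -d) || exit 2
    chmod 700 "$home"
    run_gpg() { gpg --homedir "$home" --batch --no-tty "$@"; }

    rc=1
    # The master key is the only trust anchor, so pin it by full fingerprint.
    if ! run_gpg --import "$master_key" >/dev/null 2>&1 ||
       ! run_gpg --list-keys "$master_fpr" >/dev/null 2>&1; then
        rc=2
    else
        # "set the master key to ultimate trust": ownertrust value 6.
        printf '%s:6:\n' "$master_fpr" |
            run_gpg --import-ownertrust >/dev/null 2>&1
        # The release key came over the same channel as the image, so it is
        # only imported here and never trusted directly.
        run_gpg --import "$release_key" >/dev/null 2>&1

        # Parse the machine-readable status lines, not the human output.
        status=$(run_gpg --status-fd 1 --verify "$sig" "$image" 2>/dev/null) ||
            status=
        # GOODSIG: the signature matches the image (expired or revoked keys
        # produce other keywords). TRUST_FULLY / TRUST_ULTIMATE: the signing
        # key is valid through a certification made by the master key.
        if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' &&
           printf '%s\n' "$status" |
               grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)'; then
            rc=0
        fi
    fi
    rm -rf "$home"
    exit "$rc"
)
```

A good signature from a key that the master key never certified is reported by gpg with exit status 0 and only a warning, which is why the function checks the TRUST_ status line instead of the exit code alone.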





Re: [qubes-users] Firewall Rules for Printer Access?

2016-12-28 Thread superlative
Thanks for suggesting a network printer. That might be what I have to end up 
doing. But before I try that, I want to keep trying USB printer.

I'll try the USB passthrough method as soon as I figure out how to install 
qubes-usb-proxy on my Fedora-23 template VM Software app. I created a new 
thread in this forum to figure that out. It's called "Fedora-23 Software only 
shows already installed apps".



Re: [qubes-users] VMs die when screen is locked for too long

2016-12-28 Thread Marek Marczykowski-Górecki
On Wed, Dec 28, 2016 at 09:54:08AM +, Fred wrote:
> I've noticed this problem a few times now:
> 
> If the screen is locked for too long (this problem doesn't seem to occur
> if I unlock the screen a short time after the screen locking) when I
> unlock the screen the VMs that were running are now in a yellow state.
> There is an error message about error reclaiming memory or something
> like that. The memory in use for the VMs still seems to be there and the
> CPU is on 0%. Does this sound like some known open issue?

Is it about some specific VM, every time different one, or all of them?
I'd guess it may be about automatic system suspend after and on this
particular hardware sys-net does not survive it.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] Synaptic touchpad not working through usbVM

2016-12-28 Thread Marek Marczykowski-Górecki
On Wed, Dec 28, 2016 at 09:57:38AM +, Fred wrote:
> Hi all,
> 
> My touchpad doesn't work now that I've started using a usbVM. If I
> attach a USB mouse I get a prompt asking me if I wish to allow it. For
> the touchpad no prompt and it doesn't work even if I set the RPC policy
> for InputMouse to allow.

Interesting, do you have that touchpad really as a USB device? If so,
it's probably not supported by InputMouse service - probably we need
InputTouchpad, or sth like this.

It would be really helpful if you collect some more information:
1. Install 'evtest' tool in your template.
2. Restart sys-usb (or the whole system).
3. Launch terminal in sys-usb and call evtest on everything you find in
/dev/input - one of those should be your touchpad - post what you've got
there.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



[qubes-users] Fedora-23 Software only shows already installed apps

2016-12-28 Thread superlative
Hi,
I can install packages from Debian-8 template VM Packages app just fine. But 
Fedora-23 template VM doesn't have any packages available in the Software app 
that I don't already have installed. The only Software Sources that show up in 
Fedora-23 template VM Software app is "Qubes OS Repository for VM (updates)". 
But in Debian-8 template VM Packages app Package Sources are "Jessie (main)", 
"Jessie (main contrib non-free)", and "Jessie updates (main contrib non-free)". 
Is it supposed to be like that?

Thanks



Re: [qubes-users] How to use bonjour (mDNS/DNS-SD) in a Qube?

2016-12-28 Thread Marek Marczykowski-Górecki

On Wed, Dec 28, 2016 at 10:14:01AM +, Fred wrote:
> 
> So I have iTunes in a Qube -- the best place for it IMHO ;-).
> 
> I'd like to be able to use AirPlay. Since I'm not bridged and the
> AirPlay protocol uses mDNS/DNS-SD I need a way for the multicast to work
> from a Qube without violating any of the Qubes careful network design.
> 
> e.g. One idea is to have my Windows HVM have a direct non NAT'd
> connection. But I'm not sure how to do this and if it's even
> desirable/sensible from an isolation PoV.

Direct - not-NATed network access is very hard to achieve in Qubes
architecture.

> Another idea is to install/enable something like avahi in fedora23
> template and then on each network devices set it to reflect. I've not
> used avahi before but a) it's in fedora and even seems to be in the
> default template though disabled and b) seems like it's a one liner in
> its config to get cross subnet multicast working. 

As with most of network services - it will enlarge attack surface.
As for avahi - I don't know what exactly it's capable of - for example
can it be forced to remotely start other services/programs? Drill holes
in firewall (like UPNP)? Or "just" service discovery? Those are
questions to ask when you consider enabling network service.

> But I'm not sure what
> the consequences of that are. Another service enabled in the template
> just to satisfy a single Qubes requirements does seem to be a bit much.

You can start the service just in one Qube - simply start it in
/rw/config/rc.local there (remember to make the file executable!).

> Perhaps a third option is to create dedicated network infrastructure for
> the Windows HVM to use (sys-net-avahi sys-firewall-avahi).

You'll probably still need a single sys-net, unless you get multiple
network adapters. But separate sys-firewall makes some sense.

> I thought this might be a (semi)common issue and was keen to hear others
> suggestions or if not maybe a pointer in how to best solve the issue of
> Qubes consuming services which require cross-subnet or multicast
> support. I'd imagine this could also be a problem with other similar
> services (video, voice).

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] Re: Q3.2 installation issues - x not starting on XPS13 HVW8J

2016-12-28 Thread Marek Marczykowski-Górecki

On Mon, Dec 26, 2016 at 12:59:52PM +0100, Niels ten Oever wrote:
> On 12/24/2016 01:52 PM, Niels ten Oever wrote:
> > Hello all,
> > 
> > Merry christmas and thanks a lot for your awesome work on Qubes. I have
> > been trying to install Qubes R3.2-x86_64 on my XPS 13 - 9360HVW8J with a
> > Intel Core i7-7500U, but I've run into some problems. (My specific
> > laptop model is not mentioned in the HCL [0]).
> > 
> > Firstly the x server is not starting.
> > 
> > Secondly the text-based installer is running in a loop when I try to set
> > the installation destination I run into the following error:
> > 
> > 'Encryption requested for LUKS device nvme0n1p2 but no encryption key
> > specified for this device', which seems to be an upstream problem [0]
> > 
> > I read about a kickstart file, but that seems to be for an older
> > version (Qubes R2) [1].
> > 
> > Any suggestions on how I could get this working? Thanks much in advance.
>
> Hi all,
> 
> Things I've tried thus far:
> 
> - I tried in EFI and legacy mode,
> 
> - I verified the Intel Core I7 7500 Kaby Lake processor does VT-D and
> VT-X [0] and both are switched on in the bios.
> 
> - I've added nomodeset as a kernel option in xen.cfg
> 
> Still no luck with getting xserver to start during install process.
> 
> Any other hints? Would be much appreciated!

The kickstart way should still work. Other thing to try, is to take out
the disk, install in other machine and then put it back. Or, if that's
hard for hardware reasons (for example you don't have other machine
supporting nvme), install to USB stick (set the same partition size as
the target disk), then transfer installed system to your target machine
(just dd the whole disk).

> [0]
> https://ark.intel.com/products/95451/Intel-Core-i7-7500U-Processor-4M-Cache-up-to-3_50-GHz-
> > [0]
> > https://groups.google.com/forum/#!msg/qubes-users/-9qRHSkwfy8/CCx08nnTVEAJ
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1020345
> > [2]
> > https://groups.google.com/forum/#!msg/qubes-users/-9qRHSkwfy8/CCx08nnTVEAJ
> > 
> 

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] RFC: adding qubes images to the (qubes) repo

2016-12-28 Thread Andrew David Wong

On 2016-12-28 11:11, john.david.r.smith wrote:
>>> this may be a source of errors for some users, or even insecure
>>> (mitm + exchanging the master signing key information on the
>>> website + patching the downloaded image).
>> 
>> I know what you mean, but it's worth remembering that the Qubes 
>> Master Signing Key fingerprint is supposed to be verified 
>> out-of-band/multiband. So, in principle, replacing the key and/or
>> fingerprint only just qubes-os.org shouldn't work as a successful
>> attack vector.
> 
> 
> the problem is (as you wrote) 'supposed to be verified 
> out-of-band'. for some less technical people, even verifying the 
> signature is a huge step.

Yes, this is why we go to such great lengths to educate users about
this. Qubes is the sort of system that places ultimate trust in users
to safeguard their own security. There are too many ways for users to
shoot themselves in the feet that we can't prevent. Verifying the ISO
is just the first step, before Qubes is even installed. After Qubes is
installed, just think about how many ways there are for a user to
compromise dom0 or a TemplateVM if they're being reckless. (We try to
mitigate this by cutting off all network access from dom0 and allowing
network access only to the Updates Proxy for TemplateVMs, but there
are still uncountable ways to harm oneself.) Ultimately, Qubes is the
sort of OS where we have to educate users, and users have to be
willing to be educated. It's not the sort of OS where we can always
protect users from themselves.

> i am a fan of providing easy accessible security and using already
>  existing infrastructure.

Agreed.

> (in case of the dom0 repo, an ultimately trusted source).
> 

(I see that this was clarified in the other subthread.)

> also depending on the situation a mitm could replace the 
> fingerprint of different channels, too.
> 

The greater the number of alternative channels and the more different
they are (in terms of protocol, form, ownership, control, etc.), the
more difficult it would be for an attacker to replace them all. If a
user is very careful (e.g., checks from multiple computers over
different internet connections, VPNs, Tor circuits, Wi-Fi hotspots,
searches for and checks the fingerprint on webpages, PDFs, photos,
etc.), I think it would be exceedingly difficult even for a nation
state attacker to substitute every instance of the fingerprint that
the user could find on the internet (not to mention meatspace
channels). It would almost surely be easier to mount an attack in
other ways.

>>> also checking signatures manually should be unnecessary since a 
>>> package manager is built to do such stuff.
>>> 
>>> i would propose to add the qubes-images as packages to the 
>>> repos.
>>> 
>> 
>> Interesting idea. I wonder whether this would count as a misuse 
>> of the repos/package manager.
>> 
>> One thing is that we'd like to offload most of the traffic to a 
>> mirror (e.g., mirrors.kernel.org, as we currently do).
> 
> if offloading is not done for isos: add a "qubes-images" repo 
> providing the files and host it on your servers.
> 

We *do* want to (and currently do) offload most of the ISO-download
traffic onto third-party servers, since they're better able to handle
the load. This is why we provide mirrors.kernel.org as the default
download source for Qubes ISOs.

> if offloading is done for isos: ship the master key with qubes and
>  provide a convenience command to the user. this command should 
> download (e.g. via torrent) and verify the image (a step the user 
> can't do wrong anymore). this command could spawn a dispvm,
> install torrent software, load the torrent and copy it to dom0.
> from there the user could qvm-copy it to the vm with the install
> medium.
> 

This is a different proposal, and it would be a much larger
undertaking. It's certainly not something that the core Qubes devs
have time to do, so it would have to be a community-developed feature.
Would you like to take this project on?

>>> maybe you could get other official repos to add them, too. 
>>> (debian (+ubuntu), fedora and arch should reach a significant 
>>> portion of the linux users)
>> 
>> Another interesting idea. I've never heard of a distro adding a 
>> different OS's ISO as a package of their own, though.
> 
> asking can't hurt.
> 

Well... why don't you ask them, then? :)

After all, Qubes is free and open-source software. You don't need our
permission to distribute it. :)

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] RFC: adding qubes images to the (qubes) repo

2016-12-28 Thread john.david.r.smith

>> the problem is (as you wrote) 'supposed to be verified out-of-band'.
>> for some less technical people, even verifying the signature is a huge
>> step.
>> i am a fan of providing easy accessible security and using already
>> existing infrastructure. (in case of the dom0 repo, an ultimately
>> trusted source).
>
> I'm weary of calling the dom0 repo an ultimately trusted source, as it implies
> trust in all the related infrastructure (DNS, CAs, etc.) Package managers
> follow a trusted objects model. Each package's signature is verified before
> installing, meaning trust of the repo is not required.

ok, i was a bit imprecise.
i meant: packages loaded and verified (via signatures) from the repo for
dom0 can be considered ultimately trusted.

if one of the installed packages of the dom0 repo is compromised, we
have an attacker in dom0 and it is game-over.

so we can assume these packages are ultimately trusted.

> In either case however, a signing key must be distributed in such a fashion
> that it can be verified and, as such, I'm not sure if this offers anything other
> than a wrapper around the signature verification step.

if you distribute the key with the os and it is living in dom0, it can
only be changed by someone in dom0 -> game-over
so: if the key is compromised, you can't trust anything on this machine
either it was somehow compromised during usage, or it was compromised
from the beginning (via a compromised installation image)

if the key is in dom0 and you want to verify it over a different
channel, you can load it into some vm and do this there.

the wrapper-function to download and check images is just convenience
for a non-technical user.




Re: [qubes-users] RFC: adding qubes images to the (qubes) repo

2016-12-28 Thread nicklaus


>the problem is (as you wrote) 'supposed to be verified out-of-band'.
>for some less technical people, even verifying the signature is a huge
>step.
>i am a fan of providing easy accessible security and using already 
>existing infrastructure. (in case of the dom0 repo, an ultimately 
>trusted source).
I'm weary of calling the dom0 repo an ultimately trusted source, as it implies 
trust in all the related infrastructure (DNS, CAs, etc.) Package managers 
follow a trusted objects model. Each package's signature is verified before 
installing, meaning trust of the repo is not required. 

In either case however, a signing key must be distributed in such a fashion 
that it can be verified and, as such, I'm not sure if this offers anything other 
than a wrapper around the signature verification step.



Re: [qubes-users] RFC: adding qubes images to the (qubes) repo

2016-12-28 Thread john.david.r.smith



>> this may be a source of errors for some users, or even insecure
>> (mitm + exchanging the master signing key information on the
>> website + patching the downloaded image).
>
> I know what you mean, but it's worth remembering that the Qubes Master
> Signing Key fingerprint is supposed to be verified
> out-of-band/multiband. So, in principle, replacing the key and/or
> fingerprint only just qubes-os.org shouldn't work as a successful
> attack vector.

the problem is (as you wrote) 'supposed to be verified out-of-band'.
for some less technical people, even verifying the signature is a huge step.
i am a fan of providing easy accessible security and using already
existing infrastructure. (in case of the dom0 repo, an ultimately
trusted source).

also depending on the situation a mitm could replace the fingerprint of
different channels, too.

>> also checking signatures manually should be unnecessary since a
>> package manager is built to do such stuff.
>>
>> i would propose to add the qubes-images as packages to the repos.
>
> Interesting idea. I wonder whether this would count as a misuse of the
> repos/package manager.
>
> One thing is that we'd like to offload most of the traffic to a mirror
> (e.g., mirrors.kernel.org, as we currently do).

if offloading is not done for isos: add a "qubes-images" repo providing
the files and host it on your servers.

if offloading is done for isos: ship the master key with qubes and
provide a convenience command to the user.
this command should download (e.g. via torrent) and verify the image (a
step the user can't do wrong anymore).
this command could spawn a dispvm, install torrent software, load the
torrent and copy it to dom0. from there the user could qvm-copy it to
the vm with the install medium.

>> maybe you could get other official repos to add them, too. (debian
>> (+ubuntu), fedora and arch should reach a significant portion of
>> the linux users)
>
> Another interesting idea. I've never heard of a distro adding a
> different OS's ISO as a package of their own, though.

asking can't hurt.



Re: [qubes-users] Re: Split GPG: thunderbird+enigmail stopped cache password

2016-12-28 Thread Andrew David Wong

On 2016-12-28 06:41, 5qtbx9+9hwav8wa98xp4 via qubes-users wrote:
>> In that case, there's no need to change the documentation, since
>> it already works as described (i.e., without a key passphrase).
> 
> Before the update it was working fine with the password. Now the 
> QUBES_GPG_AUTOACCEPT is no longer respected, as one has to type in
> the password every single time. With all due respect, you are not
> trying to convert a bug into a feature and claiming that this is
> the expected behavior, right?
> 

Look, we've already explained (multiple times, in this very thread)
that PGP key passphrases may have to be disabled in order to get Split
GPG to work and why this is the case. Split GPG was designed with the
expectation that there would be no passphrase on the key. If it worked
well with a passphrase before the update, that was a fortuitous
coincidence. If, after the update, it no longer works well with a
passphrase (but still works just as well without one), then this
simply doesn't qualify as a bug according to the original design.

You've identified a certain property that used to exist but that was
never intended as a feature. Now that this property has ceased to
exist, you're claiming that a feature is missing and that a bug has
been introduced. That simply doesn't follow.

I understand that you want to use a passphrase on your key despite our
arguments against it (and despite offering no counterargument), and I
respect that. It's your right to do with your keys as you please,
whatever your reasons might be. However, I'm afraid Split GPG simply
wasn't intended to accommodate you. If you'd like Split GPG to support
keys with passphrases, then you're more than welcome to submit a patch
that implements it, and we'd be grateful for your contribution!

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] RFC: adding qubes images to the (qubes) repo

2016-12-28 Thread Andrew David Wong

On 2016-12-28 04:39, john.david.r.smith wrote:
> currently when i have qubes and need a new image (e.g. to 
> reinstall/install on a new machine), i need to download the image
> from qubes-os.org and then check the signature.
> 
> this may be a source of errors for some users, or even insecure 
> (mitm + exchanging the master signing key information on the
> website + patching the downloaded image).

I know what you mean, but it's worth remembering that the Qubes Master
Signing Key fingerprint is supposed to be verified
out-of-band/multiband. So, in principle, replacing the key and/or
fingerprint only just qubes-os.org shouldn't work as a successful
attack vector.

> also checking signatures manually should be unnecessary since a
> package manager is built to do such stuff.
> 
> i would propose to add the qubes-images as packages to the repos.
> 

Interesting idea. I wonder whether this would count as a misuse of the
repos/package manager.

One thing is that we'd like to offload most of the traffic to a mirror
(e.g., mirrors.kernel.org, as we currently do).

> maybe you could get other official repos to add them, too. (debian
> (+ubuntu), fedora and arch should reach a significant portion of 
> the linux users)
> 

Another interesting idea. I've never heard of a distro adding a
different OS's ISO as a package of their own, though.

> also: is the public qubes master signing key somewhere in dom0? in
> case a user has not saved it, this could circumvent the problem of
> an mitm exchanging the information about the signing key
> 

I recall someone suggesting this a long time ago, and I (think I) also
recall Marek doing it, but I can't find the original thread or issue,
and I don't see the key in `/etc/pki/rpm-gpg/`. Tracking:

https://github.com/QubesOS/qubes-issues/issues/2544

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Problem copying something from the work VM to dom0

2016-12-28 Thread Steve Coleman
On 12/28/2016 11:35 AM, 5qvig7+72wbojzjmyk1fzj62f3msv2h6s8ffn8 via qubes-users wrote:
> Hello everyone;
>
> I'm trying to copy a file from my work VM to dom0, I followed the doc on this
> matter https://www.qubes-os.org/doc/copy-from-dom0/
>
> So I used the following line,
>
> qvm-run --pass-io work 'cat /home/user/Downloads/theme.tar.gz' > /Downloads/theme.tar.gz

The directory /Downloads likely does not exist, so the redirection >
cannot create a file there, even as root.

Try "> ./Downloads/theme.tar.gz" instead and it may work for you,
assuming you are in the home directory which has a Downloads
subdirectory off of it.

Steve C.



[qubes-users] Problem copying something from the work VM to dom0

2016-12-28 Thread 5qvig7+72wbojzjmyk1fzj62f3msv2h6s8ffn8 via qubes-users
Hello everyone;

I'm trying to copy a file from my work VM to dom0, I followed the doc on this 
matter https://www.qubes-os.org/doc/copy-from-dom0/

So I used the following line,

qvm-run --pass-io work 'cat /home/user/Downloads/theme.tar.gz' > /Downloads/theme.tar.gz

However I get this error:

bash: /Downloads/theme.tar.gz: No such file or directory

Even when I use sudo qvm-run ...etc I get the same error.

How can I fix this?



Thanks and Happy end of the year!

Best wishes!










[qubes-users] Re: Split GPG: thunderbird+enigmail stopped cache password

2016-12-28 Thread 5qtbx9+9hwav8wa98xp4 via qubes-users
> In that case, there's no need to change the documentation, since it
> already works as described (i.e., without a key passphrase).

Before the update it was working fine with the password. Now the
QUBES_GPG_AUTOACCEPT is no longer respected, as one has to type in the password
every single time. With all due respect, you are not trying to convert a bug
into a feature and claiming that this is the expected behavior, right?

> The minimal template has a smaller attack surface in general, but it
> doesn't come with Split GPG pre-installed. There is probably not a
> significant difference, since the Split GPG protocol tightly controls
> inter-VM data transfer. There is no general recommendation here, since
> the degree to which the full vs. minimal template attack surface
> matters depends on your threat model. For some people, it makes more
> sense to save the disk space by not having an extra minimal template
> for it.

Thanks, in that case I'll opt to choose the fedora 24 normal template.










[qubes-users] RFC: adding qubes images to the (qubes) repo

2016-12-28 Thread john.david.r.smith
currently when i have qubes and need a new image (e.g. to 
reinstall/install on a new machine), i need to download the image from 
qubes-os.org and then check the signature.


this may be a source of errors for some users, or even insecure
(mitm + exchanging the master signing key information on the website + 
patching the downloaded image).
also checking signatures manually should be unnecessary since a package 
manager is built to do such stuff.


i would propose to add the qubes-images as packages to the repos.

maybe you could get other official repos to add them, too.
(debian (+ubuntu), fedora and arch should reach a significant portion of 
the linux users)


also: is the public qubes master signing key somewhere in dom0?
in case a user has not saved it, this could circumvent the problem of a 
mitm exchanging the information about the signing key


-john
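
Added example, not part of the original post and not Qubes project code: the case raised above (a swapped key plus a patched image still yields a "good" signature) is why a check should compare the signing key against a fingerprint obtained out of band. The function names, the placeholder fingerprint and the sample status lines are constructed assumptions; the parsed format is GnuPG's `--status-fd` output.

```shell
#!/bin/sh
# Fingerprint of the expected signing key, obtained out of band.
# CONSTRUCTED placeholder, not a real Qubes key.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed status output: valid signature made by the pinned key.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Release Key
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-12-28 1482883200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Constructed status output: signature verifies, but under a different key
# (what a swapped key plus a re-signed image would look like).
SAMPLE_SWAPPED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Constructed Other Key
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2016-12-28 1482883200 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# normalize_fpr FPR: strip spaces and uppercase, so "0123 4567 ..." compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# sig_from_pinned_key STATUS_TEXT PINNED
# Succeeds only if STATUS_TEXT has a VALIDSIG record whose signing-key or
# primary-key fingerprint equals PINNED, and no BADSIG/ERRSIG record.
sig_from_pinned_key() {
    want=$(normalize_fpr "$2")
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        # Append "" to force string comparison of the hex fingerprints.
        $2 == "VALIDSIG" && (($3 "") == (want "") || ($NF "") == (want "")) { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_iso ISO SIG: run gpg and fail closed unless the pinned key signed.
verify_iso() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    sig_from_pinned_key "$status" "$PINNED_FPR"
}
```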



Re: [qubes-users] How to use bonjour (mDNS/DNS-SD) in a Qube?

2016-12-28 Thread Fred

Oh forgot to add. I did try setting the NetVM for the Windows HVM to
sys-net to no avail. Thought that might give a non-NAT'd direct connection.



[qubes-users] How to use bonjour (mDNS/DNS-SD) in a Qube?

2016-12-28 Thread Fred

So I have iTunes in a Qube -- the best place for it IMHO ;-).

I'd like to be able to use AirPlay. Since I'm not bridged and the
AirPlay protocol uses mDNS/DNS-SD I need a way for the multicast to work
from a Qube without violating any of Qubes' careful network design.

e.g. One idea is to have my Windows HVM have a direct non NAT'd
connection. But I'm not sure how to do this and if it's even
desirable/sensible from an isolation PoV.

Another idea is to install/enable something like avahi in fedora23
template and then on each network device set it to reflect. I've not
used avahi before but a) it's in fedora and even seems to be in the
default template though disabled and b) seems like it's a one liner in
its config to get cross subnet multicast working. But I'm not sure what
the consequences of that are. Another service enabled in the template
just to satisfy a single Qube's requirements does seem to be a bit much.
Perhaps a third option is to create dedicated network infrastructure for
the Windows HVM to use (sys-net-avahi sys-firewall-avahi).

I thought this might be a (semi)common issue and was keen to hear others'
suggestions or if not maybe a pointer in how to best solve the issue of
Qubes consuming services which require cross-subnet or multicast
support. I'd imagine this could also be a problem with other similar
services (video, voice).



[qubes-users] Synaptic touchpad not working through usbVM

2016-12-28 Thread Fred
Hi all,

My touchpad doesn't work now that I've started using a usbVM. If I
attach a USB mouse I get a prompt asking me if I wish to allow it. For
the touchpad no prompt and it doesn't work even if I set the RPC policy
for InputMouse to allow.

Thoughts?



[qubes-users] VMs die when screen is locked for too long

2016-12-28 Thread Fred
I've noticed this problem a few times now:

If the screen is locked for too long (this problem doesn't seem to occur
if I unlock the screen a short time after the screen locking) when I
unlock the screen the VMs that were running are now in a yellow state.
There is an error message about error reclaiming memory or something
like that. The memory in use for the VMs still seems to be there and the
CPU is on 0%. Does this sound like some known open issue?

I'll grab more details the next time it happens.
